mirror of
https://github.com/mukul975/Anthropic-Cybersecurity-Skills.git
synced 2026-07-17 13:15:16 +03:00
Add folder anatomy (scripts/agent.py + references/api-reference.md) for 648 cybersecurity skills
Complete skill folder anatomy across all cybersecurity skills: - scripts/agent.py: 80-150 line Python agents using real libraries (impacket, boto3, azure-mgmt-*, kubernetes, pefile, yara, scapy, shodan, stix2, etc.) - references/api-reference.md: real API documentation with method signatures - LICENSE: MIT license for all skill folders
This commit is contained in:
@@ -0,0 +1,21 @@
|
||||
MIT License
|
||||
|
||||
Copyright (c) 2025 Anthropic Agent Skills Contributors
|
||||
|
||||
Permission is hereby granted, free of charge, to any person obtaining a copy
|
||||
of this software and associated documentation files (the "Software"), to deal
|
||||
in the Software without restriction, including without limitation the rights
|
||||
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
|
||||
copies of the Software, and to permit persons to whom the Software is
|
||||
furnished to do so, subject to the following conditions:
|
||||
|
||||
The above copyright notice and this permission notice shall be included in all
|
||||
copies or substantial portions of the Software.
|
||||
|
||||
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
|
||||
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
|
||||
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
|
||||
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
|
||||
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
|
||||
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
|
||||
SOFTWARE.
|
||||
@@ -0,0 +1,59 @@
|
||||
# API Reference: Performing Deception Technology Deployment
|
||||
|
||||
## Canary Tokens API (canarytokens.org)
|
||||
|
||||
| Endpoint | Method | Description |
|
||||
|----------|--------|-------------|
|
||||
| `/generate` | POST | Generate a new canary token (DNS, HTTP, file) |
|
||||
| `/history` | GET | Retrieve alert history for a token |
|
||||
| `/manage` | GET | List all deployed tokens |
|
||||
|
||||
## Thinkst Canary API
|
||||
|
||||
| Endpoint | Method | Description |
|
||||
|----------|--------|-------------|
|
||||
| `/api/v1/canarytokens/create` | POST | Create a new canarytoken |
|
||||
| `/api/v1/incidents/all` | GET | List all triggered incidents |
|
||||
| `/api/v1/device/list` | GET | List deployed Canary devices |
|
||||
|
||||
## Honeypot Components (stdlib)
|
||||
|
||||
| Module | Description |
|
||||
|--------|-------------|
|
||||
| `http.server.HTTPServer` | HTTP honeypot listener |
|
||||
| `socketserver.TCPServer` | Generic TCP honeypot |
|
||||
| `secrets.token_hex()` | Generate unique token IDs |
|
||||
| `hashlib.sha256()` | Hash canary file content for integrity |
|
||||
|
||||
## Key Libraries
|
||||
|
||||
- **secrets** (stdlib): Cryptographically secure token generation
|
||||
- **http.server** (stdlib): HTTP honeypot server implementation
|
||||
- **socket** (stdlib): TCP/UDP honeypot listeners
|
||||
- **hashlib** (stdlib): File integrity hashing for canary files
|
||||
- **threading** (stdlib): Run honeypot services in background threads
|
||||
|
||||
## Honeytoken Types
|
||||
|
||||
| Type | Deployment | Alert Trigger |
|
||||
|------|------------|---------------|
|
||||
| Credential | AD, LSASS, config files | Any authentication attempt |
|
||||
| Canary File | Network shares, endpoints | File open/read access |
|
||||
| DNS Token | Documents, scripts | DNS resolution |
|
||||
| AWS Key | Code repos, config files | AWS API call with key |
|
||||
| HTTP Token | Documents, emails | HTTP GET request |
|
||||
|
||||
## Configuration
|
||||
|
||||
| Variable | Description |
|
||||
|----------|-------------|
|
||||
| `CANARY_API_KEY` | Thinkst Canary API key |
|
||||
| `CANARY_DOMAIN` | Canary DNS domain for token callbacks |
|
||||
| `HONEYPOT_PORT` | Port for HTTP honeypot listener |
|
||||
|
||||
## References
|
||||
|
||||
- [Canarytokens.org](https://canarytokens.org/)
|
||||
- [Thinkst Canary](https://canary.tools/)
|
||||
- [MITRE ATT&CK D3FEND - Decoy](https://d3fend.mitre.org/technique/d3f:Decoy/)
|
||||
- [OpenCanary](https://github.com/thinkst/opencanary)
|
||||
@@ -0,0 +1,213 @@
|
||||
#!/usr/bin/env python3
|
||||
"""
|
||||
Deception Technology Deployment Agent
|
||||
Deploys and manages honeypots, honeytokens, and canary files to detect
|
||||
lateral movement and credential abuse with near-zero false positive alerts.
|
||||
"""
|
||||
|
||||
import hashlib
|
||||
import json
|
||||
import os
|
||||
import secrets
|
||||
import socket
|
||||
import sys
|
||||
import threading
|
||||
from datetime import datetime, timezone
|
||||
from http.server import HTTPServer, BaseHTTPRequestHandler
|
||||
|
||||
|
||||
def generate_honeytoken_credentials(count: int = 5) -> list[dict]:
|
||||
"""Generate fake credential honeytokens for deployment in AD and databases."""
|
||||
honeytokens = []
|
||||
templates = [
|
||||
("svc_backup_admin", "Service account - backup system"),
|
||||
("admin_legacy", "Legacy admin account"),
|
||||
("db_migration_user", "Database migration service account"),
|
||||
("api_service_prod", "Production API service account"),
|
||||
("deploy_automation", "CI/CD deployment service account"),
|
||||
]
|
||||
|
||||
for i in range(min(count, len(templates))):
|
||||
username, description = templates[i]
|
||||
token_id = secrets.token_hex(4)
|
||||
honeytokens.append({
|
||||
"token_id": f"HT-{token_id}",
|
||||
"type": "credential",
|
||||
"username": f"{username}_{token_id[:4]}",
|
||||
"password": secrets.token_urlsafe(24),
|
||||
"description": description,
|
||||
"deployment_location": "Active Directory / LSASS memory",
|
||||
"alert_on": "Any authentication attempt",
|
||||
"created": datetime.now(timezone.utc).isoformat(),
|
||||
})
|
||||
|
||||
return honeytokens
|
||||
|
||||
|
||||
def generate_canary_files(output_dir: str, count: int = 5) -> list[dict]:
|
||||
"""Generate canary files that trigger alerts when accessed."""
|
||||
canary_templates = [
|
||||
("passwords.xlsx", "Fake password spreadsheet"),
|
||||
("salary_data_2024.csv", "Fake salary data"),
|
||||
("aws_credentials.txt", "Fake AWS access keys"),
|
||||
("vpn_config_backup.ovpn", "Fake VPN configuration"),
|
||||
("database_backup_prod.sql", "Fake database backup"),
|
||||
]
|
||||
|
||||
canary_files = []
|
||||
os.makedirs(output_dir, exist_ok=True)
|
||||
|
||||
for i in range(min(count, len(canary_templates))):
|
||||
filename, description = canary_templates[i]
|
||||
filepath = os.path.join(output_dir, filename)
|
||||
token_id = secrets.token_hex(4)
|
||||
|
||||
content = f"# CANARY FILE - Token: {token_id}\n"
|
||||
content += f"# This file is a decoy. Any access triggers a security alert.\n"
|
||||
content += f"# Description: {description}\n"
|
||||
content += f"# Generated: {datetime.now(timezone.utc).isoformat()}\n\n"
|
||||
|
||||
if "credentials" in filename or "password" in filename:
|
||||
content += "admin:P@ssw0rd_fake_canary_2024\n"
|
||||
content += "root:SuperSecret_fake_canary!\n"
|
||||
elif "aws" in filename:
|
||||
content += f"[default]\naws_access_key_id = AKIA{secrets.token_hex(8).upper()}\n"
|
||||
content += f"aws_secret_access_key = {secrets.token_hex(20)}\n"
|
||||
|
||||
with open(filepath, "w") as f:
|
||||
f.write(content)
|
||||
|
||||
canary_files.append({
|
||||
"token_id": f"CF-{token_id}",
|
||||
"type": "canary_file",
|
||||
"filename": filename,
|
||||
"filepath": filepath,
|
||||
"description": description,
|
||||
"sha256": hashlib.sha256(content.encode()).hexdigest(),
|
||||
"alert_on": "File open / read access",
|
||||
"created": datetime.now(timezone.utc).isoformat(),
|
||||
})
|
||||
|
||||
return canary_files
|
||||
|
||||
|
||||
def generate_dns_canary_tokens(domain: str, count: int = 3) -> list[dict]:
|
||||
"""Generate DNS canary tokens that alert on resolution."""
|
||||
tokens = []
|
||||
for i in range(count):
|
||||
token_id = secrets.token_hex(8)
|
||||
hostname = f"{token_id}.{domain}"
|
||||
tokens.append({
|
||||
"token_id": f"DNS-{token_id[:8]}",
|
||||
"type": "dns_canary",
|
||||
"hostname": hostname,
|
||||
"usage": f"Embed in config files, documents, or network shares",
|
||||
"alert_on": "DNS resolution of hostname",
|
||||
"created": datetime.now(timezone.utc).isoformat(),
|
||||
})
|
||||
|
||||
return tokens
|
||||
|
||||
|
||||
class HoneypotHTTPHandler(BaseHTTPRequestHandler):
|
||||
"""Simple HTTP honeypot handler that logs all requests."""
|
||||
|
||||
alerts = []
|
||||
|
||||
def do_GET(self):
|
||||
alert = {
|
||||
"timestamp": datetime.now(timezone.utc).isoformat(),
|
||||
"source_ip": self.client_address[0],
|
||||
"source_port": self.client_address[1],
|
||||
"method": "GET",
|
||||
"path": self.path,
|
||||
"headers": dict(self.headers),
|
||||
"severity": "HIGH",
|
||||
}
|
||||
HoneypotHTTPHandler.alerts.append(alert)
|
||||
print(f"[ALERT] Honeypot hit: {alert['source_ip']} -> GET {self.path}")
|
||||
self.send_response(401)
|
||||
self.send_header("WWW-Authenticate", 'Basic realm="Restricted Area"')
|
||||
self.end_headers()
|
||||
self.wfile.write(b"Authentication Required")
|
||||
|
||||
def do_POST(self):
|
||||
content_length = int(self.headers.get("Content-Length", 0))
|
||||
body = self.rfile.read(content_length).decode("utf-8", errors="ignore")
|
||||
|
||||
alert = {
|
||||
"timestamp": datetime.now(timezone.utc).isoformat(),
|
||||
"source_ip": self.client_address[0],
|
||||
"method": "POST",
|
||||
"path": self.path,
|
||||
"body_preview": body[:200],
|
||||
"severity": "CRITICAL",
|
||||
}
|
||||
HoneypotHTTPHandler.alerts.append(alert)
|
||||
print(f"[ALERT] Honeypot credential capture: {alert['source_ip']}")
|
||||
self.send_response(403)
|
||||
self.end_headers()
|
||||
self.wfile.write(b"Access Denied")
|
||||
|
||||
def log_message(self, format, *args):
|
||||
pass
|
||||
|
||||
|
||||
def start_http_honeypot(host: str = "0.0.0.0", port: int = 8888) -> HTTPServer:
|
||||
"""Start an HTTP honeypot server in a background thread."""
|
||||
server = HTTPServer((host, port), HoneypotHTTPHandler)
|
||||
thread = threading.Thread(target=server.serve_forever, daemon=True)
|
||||
thread.start()
|
||||
print(f"[*] HTTP honeypot listening on {host}:{port}")
|
||||
return server
|
||||
|
||||
|
||||
def generate_deployment_report(
|
||||
credentials: list, canary_files: list, dns_tokens: list
|
||||
) -> str:
|
||||
"""Generate deception technology deployment report."""
|
||||
total = len(credentials) + len(canary_files) + len(dns_tokens)
|
||||
lines = [
|
||||
"DECEPTION TECHNOLOGY DEPLOYMENT REPORT",
|
||||
"=" * 50,
|
||||
f"Date: {datetime.now(timezone.utc).strftime('%Y-%m-%d %H:%M UTC')}",
|
||||
f"Total Decoys Deployed: {total}",
|
||||
"",
|
||||
f"HONEYTOKEN CREDENTIALS ({len(credentials)}):",
|
||||
]
|
||||
for cred in credentials:
|
||||
lines.append(f" [{cred['token_id']}] {cred['username']} - {cred['description']}")
|
||||
|
||||
lines.append(f"\nCANARY FILES ({len(canary_files)}):")
|
||||
for cf in canary_files:
|
||||
lines.append(f" [{cf['token_id']}] {cf['filename']} - {cf['description']}")
|
||||
|
||||
lines.append(f"\nDNS CANARY TOKENS ({len(dns_tokens)}):")
|
||||
for dns in dns_tokens:
|
||||
lines.append(f" [{dns['token_id']}] {dns['hostname']}")
|
||||
|
||||
return "\n".join(lines)
|
||||
|
||||
|
||||
if __name__ == "__main__":
|
||||
output_dir = sys.argv[1] if len(sys.argv) > 1 else "canary_files"
|
||||
dns_domain = sys.argv[2] if len(sys.argv) > 2 else "canary.example.com"
|
||||
|
||||
print("[*] Deploying deception technology...")
|
||||
|
||||
credentials = generate_honeytoken_credentials(5)
|
||||
canary_files = generate_canary_files(output_dir, 5)
|
||||
dns_tokens = generate_dns_canary_tokens(dns_domain, 3)
|
||||
|
||||
report = generate_deployment_report(credentials, canary_files, dns_tokens)
|
||||
print(report)
|
||||
|
||||
inventory = {
|
||||
"credentials": credentials,
|
||||
"canary_files": canary_files,
|
||||
"dns_tokens": dns_tokens,
|
||||
}
|
||||
output = f"deception_inventory_{datetime.now(timezone.utc).strftime('%Y%m%d')}.json"
|
||||
with open(output, "w") as f:
|
||||
json.dump(inventory, f, indent=2)
|
||||
print(f"\n[*] Inventory saved to {output}")
|
||||
Reference in New Issue
Block a user